
Add Azure managed identity Postgres DB login support #1601

Open
nbjohnson opened this issue Oct 26, 2023 · 4 comments
Labels: enhancement, needs triage (Waiting for discussion / prioritization by team), wontfix

Comments

@nbjohnson

Hello!

  • Vote on this issue by adding a 👍 reaction
  • If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)

Issue details

Since PostgreSQL has been supported as a backend DB, can support be added for retrieving a token using a managed identity rather than providing a static password? In my case this is specifically Azure, but it might be straightforward to support multiple cloud providers depending on others' implementations.

Why is this needed?

Adding support for identity auth will improve the security posture of step-ca as it is one less static credential, especially for a critical service.

Possible Implementation

Based on the docs it seems the implementation would be a request to the IMDS to retrieve a temporary token that can be used as a password alongside the username in the connection string. I believe the hardest part would be determining the expiration time of this credential and automatically renewing it before expiration to prevent a loss of connection.

https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/how-to-connect-with-managed-identity#retrieve-the-access-token-from-the-azure-instance-metadata-service

@nbjohnson nbjohnson added enhancement needs triage Waiting for discussion / prioritization by team labels Oct 26, 2023
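An added illustration of the pieces the author sketches above: parsing the IMDS token response, deciding when to renew before the token expires, and passing the token as the password in a URL-style DSN of the kind pgx accepts. This is example code, not code from the issue, step-ca or smallstep/nosql; the response field names, the host, database and user values are assumptions, and the JSON body is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strconv"
	"time"
)
// sampleIMDSBody is a constructed IMDS token response; real tokens are long JWTs.
const sampleIMDSBody = `{"access_token":"hdr.payload.sig","expires_on":"1698357600",` +
	`"resource":"https://ossrdbms-aad.database.windows.net","token_type":"Bearer"}`

// imdsToken holds the response fields this example relies on (assumed names).
type imdsToken struct {
	AccessToken string `json:"access_token"`
	ExpiresOn   string `json:"expires_on"` // unix seconds, sent as a string
}
// parseIMDSToken decodes an IMDS token response into the token and its expiry.
func parseIMDSToken(body []byte) (string, time.Time, error) {
	var t imdsToken
	if err := json.Unmarshal(body, &t); err != nil {
		return "", time.Time{}, err
	}
	if t.AccessToken == "" {
		return "", time.Time{}, fmt.Errorf("imds: response has no access_token")
	}
	secs, err := strconv.ParseInt(t.ExpiresOn, 10, 64)
	if err != nil {
		return "", time.Time{}, fmt.Errorf("imds: bad expires_on %q: %w", t.ExpiresOn, err)
	}
	return t.AccessToken, time.Unix(secs, 0).UTC(), nil
}

// renewAt is when the next token should be fetched: a safety margin before
// expiry, clamped to now so a nearly expired token is renewed immediately.
func renewAt(expiresOn time.Time, margin time.Duration, now time.Time) time.Time {
	if at := expiresOn.Add(-margin); at.After(now) {
		return at
	}
	return now
}

// pgDSN builds a URL-style DSN with the token as the password. url.UserPassword
// percent-encodes anything in the token that a URL parser would misread.
func pgDSN(host, db, user, token string) string {
	u := url.URL{Scheme: "postgres", User: url.UserPassword(user, token),
		Host: host, Path: "/" + db, RawQuery: "sslmode=require"}
	return u.String()
}
```

A real integration would call parseIMDSToken on the IMDS HTTP response, sleep until renewAt, fetch again, and hand the fresh DSN to the connection pool before the old token lapses.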
@dopey
Contributor

dopey commented Nov 8, 2023

Hey @nbjohnson 👋. Thanks for opening the issue!

Discussed this issue with the team today and below are our thoughts:

We don't want to introduce new inconsistencies in support for platforms. So, we would need to implement and maintain similar login support for other popular clouds. We do not want to be on the hook for maintaining managed identity support across cloud platforms.

Instead, we believe that this type of support may already be possible using the PG environment variables. We use the pgx client which should have support for respecting those environment variables. So, instead of us building in support for a new authentication method, users could hopefully leverage existing support by setting the PGPASS variable to whatever they like. Could you try this out and let us know the results?

cheers 🍻

@dopey dopey self-assigned this Nov 8, 2023
@dopey dopey added the wontfix label Nov 8, 2023
@nbjohnson
Author

@dopey Thanks for taking a look at my request. Yes, I did see the ability to pass creds with those environment variables, which I also think would work. However, I don't think that is the limiting factor here. To use an identity means the credential is only valid for a short time, so I think code would need to be added to be able to periodically retrieve a new credential and to make sure it does that before the existing short-lived cred expires.

@dopey
Contributor

dopey commented Nov 30, 2023

After discussion with the team, we're not looking to add authorization methods to smallstep/nosql, with the exception of x509 certificate based authentication. Users can already exchange Azure managed identity credentials for certificates (using the IID provisioners). The remaining part would be integrating client certificate authentication into smallstep/nosql as well as providing tooling around renewal.

Unfortunately, we don't have the resourcing to prioritize integrating certificate based authentication against the storage layer at this time. If someone from the community is interested in taking this on, let us know and we can chat about requirements.

@avo-sepp

One of the challenges with password authentication is corporate password renewal policies. Managed Identities give us a path to set-it-and-forget-it.

@dopey can you explain the x509 authentication method? Are you saying I can generate an x509 to authenticate with Azure services? Are you suggesting I can achieve a similar result as the managed identity using the method you described? Is there a doc for that approach?
